[TriLUG] OT: Disinfecting a Club's Website

Scott Chilcote scottchilcote at att.net
Tue Aug 27 10:12:36 EDT 2013


On 08/19/2013 09:52 PM, Kevin Hunter Kesling wrote:
> I encountered an attack on a similar setup where we only had
> user-level access awhile back.  After consulting this here group, I
> ended up creating an (absolute) kludge until we could get the hosting
> company to clean up its act (because changing at that time was also
> not an option).  I implemented a very similar solution to Alan's: git
> + remote cron + md5sums.
>
>   * Git: As Alan suggested.
>
>   * Remote cron: i.e., we weren't allowed to run cron on the
>     infected machine, so we did it remotely, checking every 10
>     minutes via ssh.
>
>   * md5sums: after running the 'git reset --hard' command, the
>     ssh+cron setup also compared md5sum:
>
>         $ find . -type f -print0 | sort -z | xargs -0 cat | md5sum
>
> Since the attack appeared to be automated, the last step with the
> md5sums was perhaps overkill, but it gave me peace of mind (such as a
> compromised account/machine allows, of course) that I would know almost
> instantly if something went further awry.
>
> Good luck,
>
> Kevin

Many thanks to you Kevin, and Aaron, Alan, and Tim for the great
suggestions.  I loved the idea of running periodic checksum comparisons
via ssh, very creative!

The club needs to give this ISP the heave-ho. There is a fair amount of
inertia among the long term officers, so I'm hoping that the possibility
of being blacklisted provides sufficient leverage.

   Scott C.

-- 
Scott Chilcote
Cary, NC USA
scottchilcote at att.net
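The git + remote cron + checksum approach Kevin describes, as an added example (not code from the thread or from any of its posters): a hash over the concatenated contents, as in the quoted one-liner, tells you that something changed but not what, and it does not notice a file being renamed or added with identical contents. The functions below instead keep a sorted per-file manifest (path plus hash) so the comparison run by the remote cron job can name the files that differ. It assumes GNU coreutils (`sha256sum`, `sort -z`, `xargs -r`) and a tree rooted at the site's docroot; the demo tree and the "unexpected content" line are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not from the original thread: file-integrity check for a
# web root, suitable for running from a remote host over ssh via cron.

# Print "hash  ./path" for every regular file under DIR, sorted by path so
# the manifest is identical across runs regardless of directory walk order.
# NUL-separated paths (-print0 / sort -z / xargs -0) survive odd file names.
tree_manifest() {
    dir=$1
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Collapse the manifest to a single hash, the cheap value a remote cron job
# can compare or log every ten minutes.
tree_fingerprint() {
    tree_manifest "$1" | sha256sum | cut -d' ' -f1
}

# Compare DIR against a saved manifest (BASELINE). Returns 0 when nothing
# changed; otherwise prints the differing manifest lines to stderr, which
# names the added, removed or altered files, and returns 1.
check_tree() {
    dir=$1
    baseline=$2
    current=$(tree_manifest "$dir")
    if [ "$current" = "$(cat "$baseline")" ]; then
        return 0
    fi
    printf '%s\n' "$current" | diff "$baseline" - >&2 || true
    return 1
}

# Demonstration on a constructed tree standing in for the site's docroot:
# record a baseline right after a clean deploy (e.g. after 'git reset --hard'),
# then detect a later modification.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/site/css"
    printf '<html>hello</html>\n' > "$root/site/index.html"
    printf 'body {}\n' > "$root/site/css/style.css"
    tree_manifest "$root/site" > "$root/baseline.txt"
    check_tree "$root/site" "$root/baseline.txt" && echo "clean: site matches baseline"
    # Constructed change, standing in for whatever the attacker's script injects
    printf 'unexpected content\n' >> "$root/site/index.html"
    check_tree "$root/site" "$root/baseline.txt" || echo "MODIFIED: see diff above"
    rm -rf "$root"
}

demo
```

Store the baseline on the monitoring host, not on the compromised server, so the attacker cannot update it to match their changes; with a `git reset --hard` preceding each check, the baseline simply equals the manifest of the committed tree.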


